| Step | Description |
|---|---|
| 315 | Checksum is calculated. Modifying any layer below this causes an invalid checksum to be calculated. |
| 314 | The polymorphic decryption engine is started using the running line. Modifying any layer below or above this will cause the decryption to fail. |
| 313 | Validate the checksum calculated in step 315. Any modification will cause a checksum error. |
| 312 | Erase the previous block. Destroys the layers above in memory, making rebuilding very tedious. |
| 311 | Fill the internal import table. The import table in the EXE is bogus; tamper with this layer and the EXE will not work. |
| 310 | Start the running line with CRC, erase the previous block, decode the next block with the CRC key. A single-byte change in a layer above or below will destroy the next block of data. |
| 309 | Decrypt sections of the running line. The running line is based on the EXE CRC; modification of any layer will cause invalid data. |
| 308 | CRC the PE header. Store the CRC for checking at a lower level. |
| 307 | Install timer code to trigger a CRC check. |
| 306 | Create the import table, using the layer at step 311 to determine the actual import table to be used. |
| 305 | Decrypt resource sections. Decryption is based on all layers above and below; any change will result in invalid data. |
| 304 | Erase previous; decrypt next. Parts of the EXE are deleted as each block is decrypted, making an ML rebuild very difficult. |
| 303 | Decode the entry point and jump to it. Decrypt the original entry point of the program based on all layers above; begin execution of the original program. |
| 302 | Check for a breakpoint on each API call made and delete any hardware breakpoints. Stops debugging. |
| 301 | Verify against modification every 'n' seconds. Checks for debuggers; compares the memory CRC with the disk CRC from the layer at step 315. |
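The property the step table relies on (steps 308, 310, 312 and 313) is that each block's decryption key is derived from the checksum of what came before it, so a one-bit change anywhere earlier either trips the checksum or turns every later block into garbage, and only the current block is ever held in memory. The following toy model is an added example, not the protector's own code: the block layout, the keystream generator and the sample header and block contents are all constructed here, and the keystream is only a carrier for the CRC dependency, not a cipher.

```python
import zlib
from typing import List, Optional, Tuple

MASK = 0xFFFFFFFF


def crc(data: bytes) -> int:
    return zlib.crc32(data) & MASK


def keystream(seed: int, n: int) -> bytes:
    # Toy LCG keystream (constructed): it exists only so that the key of a block
    # depends on the seed; it provides no confidentiality on its own.
    x, out = seed & MASK, bytearray()
    for _ in range(n):
        x = (1103515245 * x + 12345) & MASK
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def protect(header: bytes, blocks: List[bytes]) -> Tuple[List[bytes], List[int]]:
    """Encrypt block i with a key seeded by the CRC of block i-1's plaintext;
    block 0 is seeded by the header CRC (cf. step 308). Returns (image, crcs)."""
    image, crcs, prev = [], [], crc(header)
    for blk in blocks:
        image.append(xor(blk, keystream(prev, len(blk))))
        crcs.append(crc(blk))
        prev = crcs[-1]
    return image, crcs


def run(header: bytes, image: List[bytes], crcs: List[int], check: bool = True) -> List[Optional[bytes]]:
    """Decrypt block by block as the loader would. With check=True a wrong CRC
    raises at the first damaged block (step 313); with check=False the loader
    keeps going and every later block decrypts to garbage, because its key was
    derived from corrupted plaintext. Memory holds only the current block: the
    previous one is erased as soon as the next is decoded (step 312)."""
    mem: List[Optional[bytes]] = [None] * len(image)
    prev = crc(header)
    for i, enc in enumerate(image):
        plain = xor(enc, keystream(prev, len(enc)))
        if check and crc(plain) != crcs[i]:
            raise ValueError(f"checksum error in block {i}")
        mem[i] = plain
        if i:
            mem[i - 1] = None  # erase previous block
        prev = crc(plain)
    return mem


def first_failure(header: bytes, image: List[bytes], crcs: List[int]) -> int:
    """Index of the first block whose CRC check fails, or -1 if the image is intact."""
    try:
        run(header, image, crcs)
    except ValueError as e:
        return int(str(e).rsplit(" ", 1)[1])
    return -1


def flip_bit(image: List[bytes], block: int, pos: int) -> List[bytes]:
    """Return a copy of the image with one bit flipped in the given block."""
    out = list(image)
    b = bytearray(out[block])
    b[pos] ^= 0x01
    out[block] = bytes(b)
    return out


HEADER = b"MZ-toy-header"  # constructed sample header
BLOCKS = [b"layer-A:imports", b"layer-B:resources", b"layer-C:entrypoint"]  # constructed sample blocks


def demo() -> Tuple[int, int, bool]:
    """(first failing block of the intact image, first failing block after a one-bit
    change in block 1, whether block 2 still decrypts correctly when checks are skipped)."""
    image, crcs = protect(HEADER, BLOCKS)
    intact = first_failure(HEADER, image, crcs)
    tampered = flip_bit(image, 1, 0)
    broken = first_failure(HEADER, tampered, crcs)
    unchecked = run(HEADER, tampered, crcs, check=False)
    return intact, broken, unchecked[2] == BLOCKS[2]


if __name__ == "__main__":
    print(demo())
```

Changing the header instead of a block fails at block 0, which is the step-308/315 dependency; and because `run` keeps only the current block alive, a memory dump taken at any one moment contains a single decrypted layer, which is what makes the rebuild the table calls "tedious".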
| Original Instruction | Replacement Options |
|---|---|
| Functional loop | loop |
| | dec counter / jnz |
| | dec counter / jns |
| | dec neg[counter] / jz |
| | dec / cmp / jump far |
| Zero reg | xor reg, reg |
| | sub reg, reg |
| | mov reg, 0 |
| MOV | mov reg, value |
| | zero reg (see variations) + add reg, value |
| | zero reg (see variations) + sub reg, value |
| Load reg (load reg1 from [reg2]) | mov reg1, [reg2] |
| | lods[b/w/d] |
| Store reg (store reg1 to [reg2]) | mov [reg2], reg1 |
| | stos[b/w/d] |
| add/sub/inc/dec | add reg, value |
| | sub reg, neg value |
| | inc reg / conditional loop |
| | dec reg / conditional loop |
| Call/jmp | push return address; jmp address |
| | call address |
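Each row of the replacement table is an equivalence class: every option computes the same result, so a signature that matches one spelling misses the others. The usual defensive answer is to normalise before matching, i.e. map every member of a class back to one canonical form and compare the canonical sequences. The normaliser below is an added example, not code from the page; it covers the classes listed in the table (zero-reg, zero-plus-add/sub as MOV, lods/stos as register loads and stores, sub of a negative as add, loop as dec/jnz, push-return-plus-jmp as call) and, like the table, treats `lods`/`stos` as equivalent to the plain `mov` without modelling the ESI/EDI increment. The text assembler syntax it parses is a constructed, simplified Intel syntax (one instruction per line, comma-separated operands).

```python
from typing import List, Optional, Tuple

MASK = 0xFFFFFFFF
Ins = Tuple[str, List[str]]

# lods/stos forms from the table, rendered as the equivalent mov (pointer increment not modelled)
STRING_OPS = {
    "lodsb": ("al", "[esi]"), "lodsw": ("ax", "[esi]"), "lodsd": ("eax", "[esi]"),
    "stosb": ("[edi]", "al"), "stosw": ("[edi]", "ax"), "stosd": ("[edi]", "eax"),
}


def parse(line: str) -> Optional[Ins]:
    """'mov eax, 5 ; comment' -> ('mov', ['eax', '5']); blank/comment lines -> None."""
    line = line.split(";", 1)[0].strip().lower()
    if not line:
        return None
    head, _, rest = line.partition(" ")
    ops = [o.strip() for o in rest.split(",")] if rest.strip() else []
    return head, ops


def imm(op: str) -> Optional[int]:
    """Integer value of an immediate operand, or None for registers/memory/labels."""
    try:
        return int(op, 0)
    except ValueError:
        return None


def hx(v: int) -> str:
    return f"{v & MASK:#x}"


def is_zero(m: str, ops: List[str]) -> bool:
    """xor r,r / sub r,r / mov r,0: the 'Zero reg' class."""
    return len(ops) == 2 and (
        (m in ("xor", "sub") and ops[0] == ops[1]) or (m == "mov" and imm(ops[1]) == 0)
    )


def normalize(asm: str) -> List[str]:
    """Canonical instruction list: every replacement option collapses to one spelling."""
    ins = [p for p in map(parse, asm.splitlines()) if p]
    out: List[str] = []
    i = 0
    while i < len(ins):
        m, ops = ins[i]
        nxt = ins[i + 1] if i + 1 < len(ins) else None
        if is_zero(m, ops):
            reg = ops[0]
            # 'zero reg + add/sub reg, value' is the table's alternative for MOV
            if nxt and nxt[0] in ("add", "sub") and len(nxt[1]) == 2 \
                    and nxt[1][0] == reg and imm(nxt[1][1]) is not None:
                v = imm(nxt[1][1])
                out.append(f"mov {reg}, {hx(v if nxt[0] == 'add' else -v)}")
                i += 2
                continue
            out.append(f"mov {reg}, 0x0")
            i += 1
            continue
        if m == "push" and nxt and nxt[0] == "jmp" and len(nxt[1]) == 1:
            out.append(f"call {nxt[1][0]}")  # push return address; jmp -> call
            i += 2
            continue
        if m == "loop" and len(ops) == 1:
            out.append(f"add ecx, {hx(-1)}")  # loop -> dec ecx / jnz
            out.append(f"jnz {ops[0]}")
            i += 1
            continue
        if m in STRING_OPS:
            dst, src = STRING_OPS[m]
            out.append(f"mov {dst}, {src}")
            i += 1
            continue
        if m == "inc" and len(ops) == 1:
            out.append(f"add {ops[0]}, 0x1")
            i += 1
            continue
        if m == "dec" and len(ops) == 1:
            out.append(f"add {ops[0]}, {hx(-1)}")
            i += 1
            continue
        if m == "sub" and len(ops) == 2 and imm(ops[1]) is not None:
            out.append(f"add {ops[0]}, {hx(-imm(ops[1]))}")  # sub reg, -v -> add reg, v
            i += 1
            continue
        # anything else: keep it, but render immediates as masked 32-bit hex
        ops = [hx(imm(o)) if imm(o) is not None else o for o in ops]
        out.append(m + (" " + ", ".join(ops) if ops else ""))
        i += 1
    return out


def equivalent(a: str, b: str) -> bool:
    """True when two listings are the same program under the table's equivalences."""
    return normalize(a) == normalize(b)
```

A detection rule written against `normalize()` output matches all of `mov eax, 5`, `xor eax, eax` / `add eax, 5` and `sub eax, eax` / `add eax, 5` with one pattern; a rule against raw mnemonics needs one pattern per variant and is defeated by the next variant added to the engine.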
| Instruction (function required) | Actual Instruction used |
|---|---|
| Mov | Randomly selected from Fig. 10 |
| Add | Randomly selected from Fig. 10 |
| Sub | Randomly selected from Fig. 10 |
| Xor | Use as is |
| Cmp | Use as is |
| Inc | Randomly selected from Fig. 10 |
| Dec | Randomly selected from Fig. 10 |
| Mov to register | Randomly selected from Fig. 10 |
| Add to register | Randomly selected from Fig. 10 |
| Sub to register | Randomly selected from Fig. 10 |
| Xor to register | Use as is |
| Giro to register | Use as is |
| Move register to register | Randomly selected from Fig. 10 |
| Pmn re 01 ster to register | Randomly selected from Fig. 10 |
| Add register to register | Randomly selected from Fig. 10 |
| Sub register to register | Use as is |
| One | Use as is |
| Jmp | Randomly selected from Fig. 10 |
| Call | Randomly selected from Fig. 10 |
| Or | Use as is |
| And | Use as is |
| Test | Use as is |
| # | Opcode | Mnemonics | Opcode* | Mnemonics | Opcode (runtime decryption) | Mnemonics |
|---|---|---|---|---|---|---|
| 1 | 8B 06 | MOV EAX, DWORD PTR [ESI] | 98 06 | CWDE; PUSH ES | 98 06 | CWDE; PUSH ES |
| 2 | 83 F8 00 | CMP EAX, 0 | 90 F8 00 | NOP; CLC | 83 F8 00 | CMP EAX, 0 |
| 3 | 74 03 | JZ LOC_1 | 67 03 | ADD [EDI+3], AH | 67 03 | ADD [EDI+3], AH |

* Key = 0x13
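The figure's encrypted column follows from XORing only the first (opcode) byte of each instruction with the key 0x13: 8B^13 = 98, 83^13 = 90, 74^13 = 67, while the operand bytes are left untouched. Read that way, the rightmost column is a snapshot taken while instruction 2 is the running line: it alone is back in the clear, rows 1 and 3 are still encrypted. The model below is an added example, not the page's code; the three instructions and the key are taken from the figure, the snapshot and key-recovery functions are this example's own reading of it.

```python
from typing import List, Tuple

KEY = 0x13  # key from the figure

# (opcode bytes, mnemonic) for rows 1..3 of the figure
STREAM: List[Tuple[bytes, str]] = [
    (bytes.fromhex("8B06"),   "MOV EAX, DWORD PTR [ESI]"),
    (bytes.fromhex("83F800"), "CMP EAX, 0"),
    (bytes.fromhex("7403"),   "JZ LOC_1"),
]


def encrypt(ins: bytes, key: int = KEY) -> bytes:
    """Only the opcode byte is XORed; operand bytes stay as they are, which is
    why 83 F8 00 becomes 90 F8 00 rather than an unrelated byte string."""
    return bytes([ins[0] ^ key]) + ins[1:]


def static_view(key: int = KEY) -> List[str]:
    """Hex of the fully encrypted stream: what a disassembler sees on disk
    (and why it prints CWDE / PUSH ES instead of the MOV)."""
    return [encrypt(ins, key).hex().upper() for ins, _ in STREAM]


def image_at(running: int, key: int = KEY) -> List[bytes]:
    """Memory as a dump would show it while instruction `running` executes:
    that instruction is in the clear, every other one is still encrypted."""
    return [ins if i == running else encrypt(ins, key) for i, (ins, _) in enumerate(STREAM)]


def clear_instructions(image: List[bytes]) -> int:
    """Number of instructions in a dump that match the original stream.
    For this scheme it is always exactly one, whichever instruction is running."""
    return sum(1 for got, (orig, _) in zip(image, STREAM) if got == orig)


def recover_key(encrypted: bytes, known_plain: bytes) -> int:
    """Caveat on the scheme's strength: one instruction observed in the clear
    (for example from a single-step trace) gives the key for every row, because
    the key is a single byte reused across the whole stream."""
    return encrypted[0] ^ known_plain[0]
```

The practical consequence for an analyst is that no single memory dump contains more than one decrypted instruction, but the single-byte key is recoverable from any one pair of encrypted and clear opcode bytes; the protection against static disassembly rests on the erase-and-rechain layers of the step table, not on the XOR itself.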
| Address | Index |
|---|---|
| 1000 | |
| 14A9 | |
| 1A02 | 2 |
| 280C | 3 |
| 3A10 | 1 |
| Index | API |
|---|---|
| 0 | MessageBoxA* |
| 1 | CreateWindowExA |
| 2 | ExitProcess |
| 3 | WriteFile |

* These are placeholders, not "real" text. They are also encrypted in this table, not plain as shown here.
| Address | API Call | Mutated API Call |
|---|---|---|
| | CALL [MessageBoxA] | CALL [polymorph engine] |
| | CALL [CreateWindowExA] | CALL [polymorph engine] |
| | JMP [ExitProcess] | CALL [polymorph engine] |
| | PUSH EBX | |
| | CALL EAX | |
| 0x280C | MOV EBP, [WriteFile] | CALL [polymorph engine] |
| | CALL EBP | CALL EBP |
| 0x3A10 | CALL [CreateWindowExA] | CALL [polymorph engine] |
| Original Code | Opcode | Replacement Code | Replacement Opcode |
|---|---|---|---|
| Call dword ptr [API] | FF 15 xx xx xx xx | Call dword ptr [polymorph engine] | FF 25 xx xx xx xx |
| Jmp dword ptr [API] | FF 25 xx xx xx xx | Call dword ptr [polymorph engine] | FF 25 xx xx xx xx |
| Mov eax, dword ptr [API] | A1 xx xx xx xx | Call polymorph engine | E8 xx xx xx xx |
| Mov eax, dword ptr [API] | 8B 05 xx xx xx xx | Call polymorph engine; DB X1 | E8 xx xx xx xx X1 |
| Mov ebx, dword ptr [API] | 8B 1D xx xx xx xx | Call polymorph engine; DB X2 | E8 xx xx xx xx X2 |
| Mov ecx, dword ptr [API] | 8B 0D xx xx xx xx | Call polymorph engine; DB X3 | E8 xx xx xx xx X3 |
| Mov edx, dword ptr [API] | 8B 15 xx xx xx xx | Call polymorph engine; DB X4 | E8 xx xx xx xx X4 |
| Mov edi, dword ptr [API] | 8B 3D xx xx xx xx | Call polymorph engine; DB X5 | E8 xx xx xx xx X5 |
| Mov esi, dword ptr [API] | 8B 35 xx xx xx xx | Call polymorph engine; DB X6 | E8 xx xx xx xx X6 |
| Mov esp, dword ptr [API] | 8B 25 xx xx xx xx | Call polymorph engine; DB X7 | E8 xx xx xx xx X7 |
| Mov ebp, dword ptr [API] | 8B 2D xx xx xx xx | Call polymorph engine; DB X8 | E8 xx xx xx xx X8 |

X1 - X8 can be any of the following: EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP.
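Two byte-level shapes fall out of the replacement table, and both are visible to a scanner without disassembling: the `mov reg, [API]` sites become `E8 rel32` calls that all converge on one stub and are each followed by a data byte (`DB Xn`) where an instruction would normally start, and the `call`/`jmp dword ptr [API]` sites become `FF 15`/`FF 25` indirections that all go through the engine's single pointer slot instead of one IAT slot per import. The scanner below is an added detection example, not the protector's or the page's code; the code section it runs on is constructed here, and it assumes (the page does not say) that `Xn` is stored as a register index 0..7.

```python
import struct
from collections import defaultdict
from typing import Dict, List, Tuple


def find_rel_calls(code: bytes, base: int) -> List[Tuple[int, int, int]]:
    """(site_va, target_va, byte_after_call) for every E8 found by a linear byte
    scan. Linear scanning over-matches E8 bytes that sit inside operands; that is
    acceptable for triage because stub_targets() discards single-caller targets."""
    hits = []
    for off in range(len(code) - 5):
        if code[off] == 0xE8:
            rel = struct.unpack_from("<i", code, off + 1)[0]
            site = base + off
            hits.append((site, (site + 5 + rel) & 0xFFFFFFFF, code[off + 5]))
    return hits


def stub_targets(code: bytes, base: int, min_sites: int = 3) -> Dict[int, List[int]]:
    """Targets called from >= min_sites places where every call is followed by a
    byte in 0..7 (assumed register index) instead of an instruction: the
    'call polymorph engine; DB Xn' shape. Maps target -> list of call-site VAs."""
    by_target: Dict[int, List[Tuple[int, int]]] = defaultdict(list)
    for site, target, nxt in find_rel_calls(code, base):
        by_target[target].append((site, nxt))
    return {t: [s for s, _ in v] for t, v in by_target.items()
            if len(v) >= min_sites and all(n < 8 for _, n in v)}


def dominant_indirect_slot(code: bytes) -> Tuple[int, int, int]:
    """(slot, uses, total): the disp32 pointer slot used by the most FF 15 / FF 25
    call/jmp sites, with how many of all indirect sites share it. In the rewritten
    binary every API site goes through the engine's slot, so one slot carrying
    nearly all indirections, rather than one slot per import, is the signal."""
    counts: Dict[int, int] = defaultdict(int)
    for off in range(len(code) - 5):
        if code[off] == 0xFF and code[off + 1] in (0x15, 0x25):
            counts[struct.unpack_from("<I", code, off + 2)[0]] += 1
    if not counts:
        return (0, 0, 0)
    slot, uses = max(counts.items(), key=lambda kv: kv[1])
    return slot, uses, sum(counts.values())


def build_sample() -> Tuple[bytes, int]:
    """Constructed code section mapped at 0x401000 (not from the page): one normal
    IAT call, three rewritten 'mov reg, [API]' sites, two rewritten call/jmp [API]
    sites, one normal relative call, and the stub at +0x200."""
    base, engine = 0x401000, 0x401200
    code = bytearray()
    code += b"\xFF\x15" + struct.pack("<I", 0x403000)            # call [own IAT slot]
    for reg_idx in (0, 3, 5):                                    # E8 engine ; DB Xn
        site = base + len(code)
        code += b"\xE8" + struct.pack("<i", engine - (site + 5)) + bytes([reg_idx])
        code += b"\xFF\xD0"                                      # call eax (what followed originally)
    code += (b"\xFF\x25" + struct.pack("<I", 0x403100)) * 2      # both sites -> engine's slot
    site = base + len(code)
    code += b"\xE8" + struct.pack("<i", (base + 0x300) - (site + 5)) + b"\x55"  # normal call; push ebp
    code += b"\x90" * (0x200 - len(code)) + b"\xC3"              # padding, then the stub
    return bytes(code), base


if __name__ == "__main__":
    sample, base = build_sample()
    print(stub_targets(sample, base))        # {0x401200: [0x401006, 0x40100e, 0x401016]}
    print(dominant_indirect_slot(sample))    # (0x403100, 2, 3)
```

The normal relative call is not reported even though it is an `E8`, because it is a single caller and the byte after it (`55`, `push ebp`) is not a register index; in a real section the `min_sites` threshold and the register-index filter are the two knobs that keep a linear scan's false positives down.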